'Money Mule' Recruitment Network Exposed

In a blog post earlier this week, Security Fix examined the crucial role of "money mules" -- people in the United States who are willingly or unwittingly recruited to help cyber fraudsters steal money from businesses. In this column, we'll peer a bit deeper into how mules are recruited, and how they often communicate with their employers.

Security Fix interviewed one of the mules hired to receive money from Sanford School District, a small school system in Colorado that was robbed of $117,000 last month when hackers used the district's online banking credentials to send sub-$10,000 payments to this mule and 16 others.

The mule I spoke with said she was hired by a company called the Scope Group Inc., which claimed to be a nearly 20-year-old investment firm operating out of New York. The Scope Group did not return e-mails seeking comment, but there is no listing for a current company by that name in the New York State business register. Also, the company's Web site is hosted in China, and its domain name -- www.scope-group.cn -- ends with a Chinese country code. In addition, that domain name was registered on June 25, 2009, just a few weeks before the fraud against Sanford School District was perpetrated.

The Sanford mule -- who spoke on the condition of anonymity out of fear of reprisals by the hacked company and perhaps by the hackers themselves -- said the Scope Group approached her via e-mail, saying it had found her resume on Careerbuilder.com, and would she be interested in a work-at-home job acting as a "financial manager"? Having worked as a payroll manager in a previous job, the mule said she thought it was a perfect fit. Besides, she said, she'd been out of work since March.

The mule said that after responding to the initial recruitment e-mail, she was directed to create a profile at the Web site www.scope-group.cn. She was then asked to provide a large amount of personal and financial data, including her name, address, Social Security number, bank account and routing numbers, as well as a scanned copy of her driver's license. During the enrollment, she was prompted several times to make sure that her bank would allow her to withdraw at least $10,000 a day.

When she initially received a $9,815 transfer from Sanford School District's account, her managers sent her a notice through the scope-group.cn site that the funds had been deposited into her bank account (see screen shot below). According to the task notice sent to her through her Scope Group account, the money was transferred with the notation "Conejos School District 6J," one of the schools in the Sanford School District (for more on that attack, see Cyber Crooks Target Public and Private Schools).
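The pattern described above -- one compromised originator account sending a burst of payments just under $10,000, each to a payee that account has never paid before -- is easy to miss when each transfer is reviewed on its own and easy to catch when the batch is reviewed as a whole. The following is an added example, not code from the original post or from any bank: it runs a simple batch-level check over a constructed ledger (the $9,815 amount and the memo text echo the post; the account IDs, timestamps, other amounts and the known-payee list are made up), and the threshold, band, window and minimum-payee parameters are assumptions chosen for illustration rather than a bank's tuned values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger of outbound payments. This is NOT the
# district's real data: the $9,815 amount and the memo text echo the
# post, everything else (account IDs, timestamps, other amounts) is
# made up for the example.
SAMPLE_PAYMENTS = [
    # (timestamp, originator account, payee account, amount USD, memo)
    ("2009-07-14T08:12", "DIST-OPS", "VEND-001", 2340.00, "textbooks"),
    ("2009-07-14T08:15", "DIST-OPS", "VEND-002", 11500.00, "bus fuel"),
    ("2009-07-15T09:02", "DIST-OPS", "NEW-101", 9815.00, "Conejos School District 6J"),
    ("2009-07-15T09:03", "DIST-OPS", "NEW-102", 9730.00, "Conejos School District 6J"),
    ("2009-07-15T09:04", "DIST-OPS", "NEW-103", 9960.00, "Conejos School District 6J"),
    ("2009-07-15T09:05", "DIST-OPS", "NEW-104", 9480.00, "Conejos School District 6J"),
    ("2009-07-15T09:06", "DIST-OPS", "NEW-105", 9895.00, "Conejos School District 6J"),
    ("2009-07-15T09:07", "DIST-OPS", "NEW-106", 9650.00, "Conejos School District 6J"),
    ("2009-07-16T10:30", "DIST-OPS", "VEND-001", 1200.00, "supplies"),
    ("2009-07-16T11:00", "OTHER-CO", "NEW-201", 9900.00, "consulting"),
]

# Payees each originator has paid before (constructed). A real system
# would derive this from the originator's prior payment history.
KNOWN_PAYEES = {"DIST-OPS": {"VEND-001", "VEND-002"}, "OTHER-CO": set()}


def flag_structured_payouts(payments, known_payees, threshold=10000.0,
                            band=0.90, window=timedelta(hours=48),
                            min_new_payees=3):
    """Return one alert per originator that, inside `window`, paid at
    least `min_new_payees` never-before-seen payees amounts in the band
    [band*threshold, threshold). The parameters are assumptions for this
    example, not a bank's tuned values."""
    # Keep only the suspicious rows: near-threshold amount AND new payee.
    candidates = defaultdict(list)
    for ts, orig, payee, amount, _memo in payments:
        if band * threshold <= amount < threshold and payee not in known_payees.get(orig, set()):
            candidates[orig].append((datetime.fromisoformat(ts), payee, amount))

    alerts = []
    for orig, rows in candidates.items():
        rows.sort()
        best = None
        start = 0
        # Sliding window over time-ordered rows; remember the densest one.
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            payees = {p for _, p, _ in span}
            if len(payees) >= min_new_payees and (best is None or len(payees) > len(best["payees"])):
                best = {
                    "originator": orig,
                    "first": span[0][0],
                    "last": span[-1][0],
                    "payees": sorted(payees),
                    "total": round(sum(a for _, _, a in span), 2),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in flag_structured_payouts(SAMPLE_PAYMENTS, KNOWN_PAYEES):
        print(f"{alert['originator']}: {len(alert['payees'])} new payees, "
              f"${alert['total']:,.2f} between {alert['first']} and {alert['last']}")
```

On the constructed data the check raises a single alert for DIST-OPS covering six new payees and $58,530, while the ordinary vendor payments (a known payee, or an amount over the threshold) and the lone near-threshold payment from OTHER-CO stay quiet. The point of the design is that none of the individual transfers is remarkable; it is the combination of a near-threshold amount, a payee with no history, and many of them in one short window that distinguishes a mule payout from a busy payroll run.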

What follows is a series of screen shots of and excerpts from messages she was sent leading up to receiving that transfer.

After signing up, the woman was told to log in to her account at the Scope Group Web site every weekday morning from 9 a.m. to 11 a.m. local time, and to periodically check her "tasks" and "messages" folders -- more or less a Web-based e-mail inbox -- for news of incoming deposits.

Below is the body of text taken from a message sent to our mule -- and ostensibly all Scope Group employees who complete the signup process and are preparing to start their first day on the job.

My name is Thomas Chavers. I am Personnel Manager of Scope Group Inc. and will be your supervisor.

First of all I would like to congratulate you on the beginning of your work with Scope Group Inc. as a Financial Manager.

Having gained operational experience in Scope Group Inc., I recommend that all new employees treat seriously every small detail they may encounter in the course of their work. You have a real chance to obtain quick promotion in the near future if our management is satisfied with your job results.

Please strictly follow my instructions, do your best to perform your functional duties properly, be responsible and careful and the results will not take long to appear!

REMEMBER that you will be working with funds belonging to other people. Delays are unacceptable as we sign legally binding contracts with our clients.

According to the agreement (see EXHIBIT A: COMPENSATION) we have concluded, Scope Group Inc. is entitled to cut back the agent's commission in case of violation of the payment processing terms by the agent. In case a Financial Agent unreasonably delays transferring the money he/she received in his/her bank account for a period exceeding one business day, we may impose sanctions on him/her (unless the delay was caused by Force Majeure circumstances) and apply to arbitration and claim reimbursement of the amount transferred to his/her account or compensation for any other damage, if any, caused by such a delay.

We guarantee that you'll get your first task within 5 business days if you observe the following conditions:

- Be always available via cell phone during business hours (preferred).

Scope Group Inc. has a right to cancel the contract if these conditions are not observed. If you observe these conditions only partially you may be at risk of getting discharged after the Probationary Period.

The Scope Group apparently wants employees to know that if they get any bright ideas -- like trying to make off with a $9,500 deposit and neglecting to wire the money as instructed -- that the company won't hesitate to alert the FBI and/or other appropriate law enforcement agencies. Mules also are reminded that their employers have a great deal of information about them, including their IP address (not to mention every other piece of data one might need to steal a mule's identity at some date in the future). Again, from the introductory e-mail sent to our mule:

"IMPORTANT: In the past we registered attempts of fraud and as the amounts of transactions handled by our financial managers are quite considerable, we closely cooperate with the police, FBI, Criminal Police Organization in all the countries of the world. Scope Group Inc. has a security department that supervises such issues. Your every visit on the site is logged by our system and your IP address is saved.

***We recommend using 2-3 different locations to complete the transaction.

After cash withdrawal you are to make transfer(s) at your local Western Union location(s). Commission (8 %) should be deducted from the received money. WU fees along with all other costs, such as bank fees, transportation costs, etc. are covered by you and are deducted from your commission.

The Sanford mule I interviewed said the bank account she gave the Scope Group to receive deposits was a business account, and that her bank's fraud division closed it immediately after it learned the $9,815 transfer she received was fraudulent. They also changed her business account balance to -$888,888.88, a figure the mule said her bank told her was assigned to accounts as an indication that they are to receive no future debits or credits.

"I had to prove to my bank that I was a victim of fraud," the mule told Security Fix. "I had to fax them the receipts for the wire transfers I sent after I received the money, to prove that I didn't just keep it. They said that since I was the victim of fraud, the bank would normally file an insurance claim, and that's how they would recoup the money."

I should note that because these fraudsters tend to use generic-sounding names for their fake corporations, there are a number of businesses which have names similar to The Scope Group that have nothing to do with the perpetrators of this crime. I spoke with one gentleman from a legitimate Scope Group Inc. in Houston, who said the company had received close to 30 e-mails and phone calls over the past few weeks from curious or angry people wondering whether they were involved in the scam.

@wiredog -- Yes, that's correct. They are instructed to keep 8 percent of the fraudulent deposit, but the cost of sending the wires via Western Union and MoneyGram is the mules' responsibility, so it effectively cuts into their commission.

It's actually pretty costly to wire the money, because the mules are typically instructed to split each deposit into three different wires, and to go to different Western Union offices to wire the money. See the screen shot at this post for an idea of what I'm talking about here.

Usually there is little recourse for the fraud victims to recover funds once they have sent them out. The MoneyGram/Western Union wire is pretty much immediate, while the supposed "cheque" from the fraud will bounce after a few days. The cheque in question could be a stolen one or a fake one.

The bottom line to all these frauds is that it works towards the victim's own greed in quick money.

Recently, even the BBC show Heir Hunters was used to promote certain "next-of-kin" inheritance scams. ( http://www.sophos.com/blogs/sophoslabs/v/post/6622 ) Using a prominent TV show does add a bit more plausibility just like the claim of "finding your resume on Career Builders"

Though careerbuilder.com does have alerts about these money mule jobs: http://www.careerbuilder.com/JobSeeker/Info/Fraud.aspx I do not believe that they are taking sufficient action to combat this epidemic. In my opinion, careerbuilder does not adequately vet employer applicant accounts. These criminals gain easy access to massive databases of resumes for targeting potential money mules. This activity has been going on for a long time.

First of all, these folks are already being denigrated by having their gullibility discussed herein, so I think it's going a bit overboard to refer to them as "the mule" and such, though it does make a convenient shorthand for folks whose identities you're trying to protect, admittedly.

Secondly, since the banks are not going to back up their business and non-profit customers against fraud, maybe they can all at least agree to create a new category of embargoed funds: besides those available for immediate withdrawal and those waiting for some check to be cleared, maybe a category for funds that can't be immediately wired anywhere -- or payable to Western Union or whatever other wire-transfer agency (if any others there be).

This might recoup them enough on not having their retail customers bilked and having to recoup them (or on fraud insurance premiums or wherever the savings would come from) to make up for the loss of their debit-card overdraft insurance nonsense, even. Well, maybe not that much, and maybe they should take the imputed non-loss and put it into a trust fund, anyway, either to remunerate their non-retail customers who still get victimized or to hire bounty hunters to get back the ill-gotten goods from the perpetrators or maybe to sue wire-transfer agencies for negligence -- and maybe thus encourage them to exercise diligence or try to get the money back from the bad guys or whatever.

A very similar deplorable event happened to me... I received the funds in the mail and deposited the check and made the required inquiries about when the funds were cleared... it was about 4 days after the deposit of 5,000 (-/+) that the bank said yes, they've cleared.
[The original notice to me: 'they found my name on Job Search board' and I think it was CareerBuilder. THEY communicated by e-mail and phone.]
I went to the bank, took out the cash less my $280 commission and sent it to someone in Oklahoma. The original check came from New York - I didn't think much of it, being unemployed and desperate.
The funds I received went to purchase filing systems to complete the work processing station I would have in my home to do this great little side job.
NOT 45 min after I left the bank with the $5000.00 the bank called me and said the check was a fraud - and in further dialogue, I was responsible for all of the money, and I'm currently paying $141 a month to salvage my credit and my daughter's credit, who was inadvertently still on my bank acct as she opened it for me before I moved up here to Billings, MT from Los Angeles, a couple years prior.
I despise the bank for reneging; they said it was good, they gave me the cash, and it should be their responsibility for clearing what they later told me 'well that's the Federal Clearance not the actual clearance' crap. Liars and crooks themselves for authorizing check clearance and then forcing me to repay or jeopardize my daughter's credit.
Never bank at Stockman Bank.
1. I don't think any of the parties involved are doing anything about these scams. I told the police and they came by, took all my info and I never heard from the BPD again.
2. Rich people don't get scammed. Just the poor and desperate.

a) An individual joins one of these mule scam sites and receives a check. That check features the transit / branch numbers of the account of someone who was compromised by Zeus. So to the recipient bank it appears as a legitimate account (because it is) and they process the transaction.
b) Conversion to cash plus sending via Western Union means: no trace.

Questions:

a) Doesn't Western Union bear some responsibility for executing large transactions of this sort? Especially given that they have become the money wire platform of choice for all manner of criminal operations in the past four years or so, why hasn't any law enforcement agency started cracking down on Western Union, or requiring them to reveal recipient information? (Unless of course that also is fake, in which case what does this say about Western Union?)

b) Can't Western Union be subpoenaed by someone to divulge who collected the money? At which location? Providing which ID?

c) If a bank account holder suddenly, and with no prior evidence of having done so before, deposits and withdraws a check amounting to $10,000 or so, shouldn't this raise the alarm at the bank? If they do it a second time a few days later: shouldn't this FURTHER raise the alarm?

Clearly these criminals are exposing huge, huge holes in the current banking and money wire industries. They must have researched all of this for months before beginning to plan or execute any of this.

After reading about these scams on Security Fix, I became alarmed and contacted my bank to ensure there was a notice on my account forbidding any wire transfers that weren't initiated by a telephone call or visit to the bank.

As it turns out, I didn't need to do so: I live and bank in Canada, where banks do not allow wire transfers to be initiated/carried out through Internet banking.